All About Spam is a series of blog posts about common spammer techniques. Have a question about a type of spam that you'd like to see in a future blog post? Leave a comment, or send an email to firstname.lastname@example.org!
A phish is a type of spam designed to gain access to your secure information, like login/password combinations, credit card numbers or Social Security numbers. Phishers use social engineering to get you to reveal this information -- rather than using computers to hack their way into the data store, they use tricks of human nature to get you to hand it over.
Unlike most spam, which is merely annoying, phishing poses a real threat. Though estimates of the final total vary, everyone agrees consumers lose millions of dollars each year to phishing attacks. So, how can you protect yourself?
1. Question unsolicited emails. Obviously, if you go to your bank's website, and click the "Forgot password?" link, you should expect an email shortly. If you get an email from your bank (or Amazon, or any other organization) out of the blue, asking you to log in to your account, view it with a critical eye.
2. View links with suspicion. The number 1 method for phishers is a link that directs you to a page that looks legitimate, but isn't. The easiest way to get around this method? If your bank emails you and asks you to log in, type in the URL you know is good (or Google for it, if you don't know it), rather than using the link in the email.
3. Look for personalized information. This method isn't foolproof ("spear phishing" refers to more focused messages, attempting to get information from more specific groups -- which allows for more customized messages), but it's a good starting place. For instance, most banks will include your name when sending you a message, plus some portion of your account number. Transactional emails, like receipts, are also generally safe bets -- you can ask yourself, "Is this something I ordered?"
4. Keep a close eye on details. Many phishing messages have somewhat obvious problems. Misspellings, poor grammar, bad addresses, colors that are slightly off, formatting that doesn't quite match the usual messages you see ... all of these should be tip-offs that something not quite right is afoot.
5. Never enter your financial information on an insecure web page. Credit card numbers, bank login credentials, account numbers and any other secure data should only be entered on secured web pages. Look for https:// URLs and a lock icon in your browser.
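Points 2 and 5 above can be checked mechanically: the visible text of a link is what the reader sees, but the href is where the browser actually goes, and a login link that is not https:// is a warning sign on its own. The script below is an added example written for this post, not code from the original, that pulls every anchor out of an HTML email body and flags links whose displayed domain differs from the real target or that lack https. The sample email, its domains and the `LinkCollector`, `check_link` and `check_email` helpers are all constructed for the example; the "last two labels" domain comparison is a deliberate simplification (a real checker would consult the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of a bank notice.
# All domains and link text are made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://login.example-bank-verify.test/acct">log in to www.example-bank.test</a>
to confirm your details.</p>
<p>Your receipt: <a href="https://www.example-bank.test/receipts/123">https://www.example-bank.test/receipts/123</a></p>
<p><a href="https://www.example-bank.test/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption for this example only; it mishandles suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    target = urlparse(href)
    if target.scheme != "https":
        findings.append("not https")
    match = DOMAIN_IN_TEXT.search(text)
    if match:
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(target.hostname or "")
        if shown != actual:
            findings.append(f"text shows {shown} but link goes to {actual}")
    return findings


def check_email(html):
    """Map each suspicious href in the email body to its list of findings."""
    parser = LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        problems = check_link(href, text)
        if problems:
            report[href] = problems
    return report


if __name__ == "__main__":
    for href, problems in check_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(problems))
```

On the sample, only the first link is reported: it is plain http and its visible text names a different domain than the one it actually opens. The receipt link and the help link pass, which matches the post's advice that receipts are usually safe bets. Note that the https check only tells you the connection is encrypted; it says nothing about whether the site at the other end is the one you meant to visit, which is why typing the address yourself is still the better habit.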
The most important thing to remember is, just because a message looks like it's from a legitimate organization, doesn't mean it is. The first phishing schemes revolved around a few large organizations -- AOL, Wells Fargo, Bank of America. It was easy to detect these as fakes, if you didn't have an account at one of these places. Using the same level of suspicion when dealing with emails from organizations where you do have an account could protect you from a very painful error.